Policy Compliance Assets 


Qualys Policy Compliance (PC) and Security Configuration Assessment (SCA) perform automated 
compliance assessments on IT systems throughout your network or enterprise architecture. 


Navigate to the following URL to view the “Policy Compliance Assets” tutorial: 


LAB 1 - https://ior.ad/7RDL 


Scannable Host Assets 


Host assets can be added to your Policy Compliance subscription by adding their IP addresses into the 
list of “scannable” assets. 


[Screenshot: Add IPs to Subscription]
  Subscription IPs - Enter IPs and ranges in the field below. See the Help for proper formatting.
  Network: You can choose any network. New IPs will be available to all networks, regardless of your selection. Custom host attributes will be applied only to the selected network.
  It is your responsibility to verify that you have permission to scan all IPs submitted.
  IPs:* 64.41.200.243-64.41.200.251
  (ex: 192.168.0.200,192.168.0.87-192.168.0.92, fe80::250:56ff:fe90:aaa0, fe80::250:56ff:fe90:aaa1)
  [ ] Validate IPs through Whois
  Add To: [ ] Vulnerability Management  [ ] Policy Compliance  [ ] Security Configuration Assessment  [ ] CertView


After entering one or more IP addresses, select the PC application module or the Security 
Configuration Assessment (SCA) module. 
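The "IPs" field accepts a comma-separated mix of single addresses and dash-separated ranges, IPv4 or IPv6, as the dialog's own hint shows. The following Python is an added example (not Qualys code) of a parser for that format; it also counts how many hosts a list expands to and flags entries that fall outside address space you have recorded as authorized to scan. The `authorized` list is an assumption of this example, standing in for whatever record your own team keeps of networks it is permitted to assess.

```python
"""Parser and sanity checks for the "IPs" field format used when adding scannable
hosts: comma-separated single addresses and dash-separated ranges, IPv4 or IPv6.

Added example, not Qualys code. Standard library only."""
import ipaddress


def parse_ip_list(text):
    """Return a list of (first, last) address pairs; a single IP becomes (ip, ip).

    Raises ValueError for malformed entries, mixed IPv4/IPv6 ranges, or ranges
    whose end precedes their start."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue                      # tolerate a trailing or doubled comma
        if "-" in item:
            lo_s, hi_s = (part.strip() for part in item.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version:
                raise ValueError(f"mixed IPv4/IPv6 range: {item}")
            if int(hi) < int(lo):
                raise ValueError(f"range end precedes start: {item}")
        else:
            lo = hi = ipaddress.ip_address(item)
        entries.append((lo, hi))
    return entries


def is_valid(text):
    """True if every entry parses; useful to run before submitting the list."""
    try:
        parse_ip_list(text)
        return True
    except ValueError:
        return False


def host_count(entries):
    """Number of individual addresses the list expands to (licensing and scan time)."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in entries)


def outside_authorized(entries, authorized):
    """Entries not fully contained in one of the authorized networks (CIDR strings).

    'authorized' is an assumption of this example: it stands in for your own record
    of the address space you are permitted to scan, which the dialog asks you to verify."""
    nets = [ipaddress.ip_network(n, strict=False) for n in authorized]
    return [(lo, hi) for lo, hi in entries
            if not any(lo in net and hi in net for net in nets)]


if __name__ == "__main__":
    # The example list from the dialog's own hint text.
    sample = ("192.168.0.200,192.168.0.87-192.168.0.92, "
              "fe80::250:56ff:fe90:aaa0, fe80::250:56ff:fe90:aaa1")
    entries = parse_ip_list(sample)
    print(host_count(entries), "hosts")                      # 9
    print(outside_authorized(entries, ["192.168.0.0/24"]))   # the two fe80:: entries
```

`ipaddress` treats a v6 address as never contained in a v4 network, so the link-local entries in the sample are reported as outside a purely IPv4 authorized list; the check is strict on purpose, since a range that straddles an authorized boundary should be split rather than submitted as-is.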


Agent Host Assets 


Host assets can also be added to your Policy Compliance subscription by installing one or more 
Qualys Cloud Agents (with the PC or SCA module enabled) on targeted host assets. 


[Screenshot: New Activation Key - Create a new activation key]
  An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time.
  Title: Compliance Lab Activation Key
  Provision Key for these applications: Asset Inventory, Patch Management, Vulnerability Management, Policy Compliance, Secure Config Assessment (each showing its Activations Remaining)
  [ ] Unlimited Key   [Generate]


Alternatively, you can activate the PC or SCA module after Cloud Agent has been installed. 


[Screenshot: Cloud Agent > Agent Management > Agents; Quick Actions menu for a Windows agent host (agent version 4.0.0411, Last Activity: Manifest Downloaded)]
  View Asset Details | Add Tags | Assign Config Profile | Activate Agent | Uninstall Agent | Deactivate Agent for FIM or IOC or PM or SA


From the Qualys Cloud Agent application, open the “Quick Actions” menu for any host and select the 
“Activate Agent” option. 


[Screenshot: Activate Agent]
  Activate this cloud agent for the modules selected below.
  The cloud agent platform will start to continuously perform host assessments and report security threats using this agent. A license, if available, will be consumed for each agent activated.
  Vulnerability Management: Not activated. Your agent(s) are not activated for VM. (14 available of 15 total activations)
  Policy Compliance: 1 agent(s) will be activated for PC. (14 available of 15 total activations)
  Secure Configuration Assessment: Not activated. Your agent(s) are not activated for SCA. (15 available of 15 total activations)
  [Activate]


Toggle the PC or SCA switch to the “ON” position and click the “Activate” button. Agents can also be 
activated in bulk, using the Cloud Agent Application Programming Interface (API). 


Control Library 


The Control Library contains thousands of technical controls, which form the building blocks for all 
policies. Each control has its own unique Control ID (CID). 


Types of Controls 


• System Defined Control (SDC) - These are controls provided by Qualys. 
• User Defined Control (UDC) - These are custom controls that users create. 


The Control Library contains System Defined Controls (provided by Qualys), which are designed 
around various regulatory requirements, standards, frameworks, benchmarks and best practices. 


You can also add your own “custom” User Defined Controls (UDCs) to the Control Library 


User Defined Controls 


User Defined Controls (UDCs) extend the coverage already provided by System Defined Controls 
(SDCs). UDCs created and customized by an end user are automatically added to the Control Library. 
You can create any number of custom UDCs to meet the specific needs of your organization. 


File Content Check UDC 


Much useful configuration data can still be found within text-based files (especially on Unix and Linux 
systems). The “File Content Check” control type allows you to enumerate the contents of a text-based 
file. 


Navigate to the following URL to view the “File Content Check UDC” tutorial: 


LAB 2 - https://ior.ad/7S4L 


The objective in this example is to ensure that remote access (via SSH) is disabled for the ‘root’ user 
account. The Scan Parameters specify the targeted data point or configuration setting this control will 
evaluate. 


Scan Parameters* 
The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 

  File path: /etc/ssh/sshd_config 
  Regular expression: ^\s*[^#] 

Data Type: Line List 

Description: * List uncommented lines in sshd_config. 


In this example, only uncommented lines (those matching ^\s*[^#]) within file ‘/etc/ssh/sshd_config’ will be 
collected. 


When the uncommented lines from file ‘sshd_config’ are listed, they are then compared to this 
control's “Default Value.” 


Default Values for Control Technologies 

Default values are automatically assigned when you click the check box for a technology. 

Rationale: * Fail any host that permits the 'root' account to login remotely. 

Cardinality: * match none 
Operator: * regular expression 

Default Value: ^PermitRootLogin\s*yes$   [ ] Lock Value 


The cardinality setting of “match none” will ensure host assets FAIL this control test if any of the 
lines in ‘sshd_config’ contain the setting that allows the ‘root’ account to login remotely (i.e., a line 
matching ^PermitRootLogin\s*yes$). 


Once the Default Value has been configured, it must then be assigned to specific OS and/or software 
technologies. 


File Integrity Check UDC 


Integrity checks can help you to identify when updates or changes are made to critical or sensitive 
files or directories. Qualys Policy Compliance provides integrity check UDCs for Windows and Linux 
hosts. In this lab tutorial, you’ll create a User Defined Control (UDC) to perform a file integrity check 
on a UNIX host. 


Navigate to the following URL to view the “File Integrity Check UDC” tutorial: 


LAB 3 - https://ior.ad/7S40 


The objective in this example is to collect the hash value for file ‘/etc/hosts’ to determine if the file 
has been modified or changed. The Scan Parameters specify the targeted data point or configuration 
setting this control will evaluate. 


Scan Parameters* 

The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 

  File path: /etc/hosts 
  Hash Type: SHA-256 

Data Type: String 

Description: * Has the /etc/hosts file been changed or modified? 


In this example, a SHA-256 hash of file ‘/etc/hosts’ is collected and then compared to this control's 
“Default Value.” 


When configuring the Default Value, you have the option to manually enter the file's present hash 
value or you can have it automatically collected by a Qualys scanner or agent. 


Default Values for Control Technologies 

Default values are automatically assigned when you click the check box for a technology. 

Rationale: * Use the hash value, collected from the previous scan, to evaluate the present 
hash value. 

Operator: * regular expression 
Default Value: (empty)   [ ] Lock Value 

[x] Use scan data as expected value 

Choose this option if you want to calculate Pass/Fail status for this control by 
comparing scan data from the previous scan and the latest scan. 

This option is used in conjunction with the option "Auto Update expected value". 
For network scans this option is set in the option profile. 
For cloud agent scans this is set under Agent Scan Options for this control. 


Select the “Use scan data as expected value” check box (above), to automatically collect and update 
the hash value of the targeted file, using compliance scan results. 


Agent Scan Options 


Auto Update Expected Value 
When enabled, we'll update this control's expected value with the actual value collected from 
each cloud agent scan. 
You must also enable “Use scan data as expected value” in this control (under Control 
Technologies). 
To create reports reflecting results for each agent scan, schedule your compliance reports to 
run in between the scan interval defined for your agents. 


When the “Use scan data as expected value” option is used with Qualys agent hosts, the “Agent Scan 
Options” within the UDC (above), should be configured to “Auto Update Expected Value.” 


[Screenshot: Edit Compliance Profile > Scan > Integrity Monitoring]
  This setting applies to file and directory integrity checks configured with “Use scan data as expected value”.
  When enabled, we'll update the control expected value used for posture evaluation with the actual value returned by the scan.
  [ ] Auto Update expected value


For Qualys scanners, this same option is configurable, under Integrity Monitoring, within the “Scan” 
section of a Compliance Profile. 
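To make the interaction between “Use scan data as expected value” and “Auto Update expected value” concrete, here is an added Python example (not Qualys code) that models the File Integrity Check above: a SHA-256 of the file content is compared with the control's expected value, the first scan seeds that value, and with auto-update on each scan's actual value becomes the expected value for the next scan. The `IntegrityControl` class and `run_demo()` are constructions of this example, and the /etc/hosts content is constructed rather than read from disk.

```python
"""File integrity check in the shape of the UDC above: collect the SHA-256 of a file,
compare it with the control's expected value, and, when "Auto Update expected value"
is on, replace the expected value with each scan's actual value so that the next scan
is compared against the previous one.

Added example, not Qualys code. IntegrityControl and run_demo() are my constructions;
the file content below is a constructed /etc/hosts, not read from disk."""
import hashlib


class IntegrityControl:
    def __init__(self, path, expected=None, auto_update=False):
        self.path = path                # e.g. /etc/hosts
        self.expected = expected        # hex SHA-256, or None until the first scan seeds it
        self.auto_update = auto_update  # "Auto Update expected value"
        self.last_actual = None


def sha256_hex(content):
    """Hash Type SHA-256, as the scan parameter specifies."""
    return hashlib.sha256(content).hexdigest()


def evaluate(control, content):
    """One scan: returns 'BASELINE' (expected value just seeded), 'PASS' or 'FAIL'."""
    actual = sha256_hex(content)
    control.last_actual = actual
    if control.expected is None:
        control.expected = actual        # "Use scan data as expected value": first scan seeds it
        return "BASELINE"
    status = "PASS" if actual == control.expected else "FAIL"
    if control.auto_update:
        control.expected = actual        # the change is reported once, then becomes the new baseline
    return status


# Constructed sample content: an untouched hosts file and a tampered copy.
HOSTS_ORIGINAL = b"127.0.0.1 localhost\n::1 localhost\n"
HOSTS_MODIFIED = HOSTS_ORIGINAL + b"10.0.0.9 updates.example.test\n"


def run_demo(auto_update):
    """Four consecutive scans: two with the file unchanged, then two after it was edited."""
    control = IntegrityControl("/etc/hosts", auto_update=auto_update)
    scans = [HOSTS_ORIGINAL, HOSTS_ORIGINAL, HOSTS_MODIFIED, HOSTS_MODIFIED]
    return [evaluate(control, content) for content in scans]


if __name__ == "__main__":
    print("auto update on: ", run_demo(True))    # ['BASELINE', 'PASS', 'FAIL', 'PASS']
    print("auto update off:", run_demo(False))   # ['BASELINE', 'PASS', 'FAIL', 'FAIL']
```

With auto-update on, the FAIL appears only in the one scan that first observes the change, after which the modified file is the new baseline; that is why the Agent Scan Options text tells you to schedule compliance reports to run between agent scan intervals. With auto-update off, every later scan keeps failing until the expected value is re-baselined, which is the better choice when a change must stay visible until someone reviews it.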


Registry Value Content Check UDC 


The Windows System Registry contains a wealth of information that can be used to validate 
thousands of compliance and auditing objectives. Registry Value Content Checks permit you to 
validate or verify the content of any registry value. 


Navigate to the following URL to view the “Registry Value Content Check UDC” tutorial: 


LAB 4 - https://ior.ad/7S4N 


The objective in this example is to ensure remote access is disabled on targeted Windows hosts. The 
Scan Parameters specify the Registry Value this control will evaluate. 


Scan Parameters* 

The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 

  Registry Hive: HKEY_LOCAL_MACHINE (HKLM) 
  Registry Key: SYSTEM\CurrentControlSet\Services\TermService 
  Name: Start 

Data Type: Integer 

Description: * Return the system "start-up" value for Terminal Service (RDP). 


In this example, the system “start-up” value (Registry Value = Start) is collected for Windows 
Terminal Service and then compared to this control’s “Default Value.” 


Default Values for Control Technologies 
Default values are automatically assigned when you click the check box for a technology. 


Rationale: * Verify Terminal Service (RDP) is Disabled. 


Operator: * equal to 


Default Value: 4 [ ] Lock Value 


A “Startup” value of “4” specifies that Terminal Service is disabled: 
• 2 = Automatic 
• 3 = Manual 
• 4 = Disabled 


To meet the objective of this control, hosts with a value of four (4) will receive a PASS result. 


WMI Query Check UDC 


This User Defined Control (UDC) will use a WMI Query to enumerate the running processes on a 
Windows host. This list can then be evaluated to identify the absence of REQUIRED applications, 
and/or the presence of PROHIBITED applications. 


Navigate to the following URL to view the “WMI Query Check UDC” tutorial: 


LAB 5 - https://ior.ad/7S4K 


The objective in this example is to identify the presence of prohibited or suspicious applications that 
may be running on a host. The Scan Parameters specify the targeted data point or configuration 
setting this control will evaluate. 


Scan Parameters* 


The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 


Namespace Root\Cimv2 
Query SELECT Name FROM Win32_Process 


Data Type: String List 


Description: * List All Running Processes 


The query in this example will return the list of running process names, from targeted Windows 
hosts, which are then compared to the list of “prohibited” applications. 


Default Values for Control Technologies 
Default values are automatically assigned when you click the check box for a technology. 


Rationale: * Identify prohibited or suspicious software applications. 


Cardinality: * does not contain 


Operator: * string list 


Default Value: wireshark.exe 
zenmap.exe 


If any of the “prohibited” applications are found to be running on a target host, this control test will 
produce a FAIL result. The “does not contain” cardinality is required here, to achieve this outcome. 
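The three UDCs walked through above (File Content Check in Lab 2, Registry Value Content Check in Lab 4, WMI Query Check in Lab 5) all reduce to the same shape: collect a data point, then apply a cardinality and operator against the Default Value. The following Python is an added example, not Qualys code, that evaluates those three settings exactly as the labs configure them; `evaluate()` is this example's reading of how the cardinality/operator pairs combine, the regexes, registry value and prohibited process names are the ones from the labs, and the sshd_config text and process list are constructed sample inputs.

```python
"""Evaluating the three UDC examples from these labs outside the Qualys UI:
File Content Check (regular expression, match none), Registry Value Content Check
(equal to) and WMI Query Check (string list, does not contain).

Added example, not Qualys code. evaluate() is my reading of how those
cardinality/operator settings combine; the regexes, registry value and prohibited
process names are the ones in the labs, and the sample inputs are constructed."""
import re

# Constructed stand-in for what a scanner or agent would read from /etc/ssh/sshd_config.
SSHD_CONFIG = """# sample sshd_config (constructed for this example)
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
"""

UNCOMMENTED = r"^\s*[^#]"                       # scan parameter: lines that are not comments
ROOT_LOGIN_ALLOWED = r"^PermitRootLogin\s*yes$"  # Default Value for the File Content Check
TERMSERVICE_DISABLED = 4                        # Default Value for the Registry Value Content Check
PROHIBITED = ["wireshark.exe", "zenmap.exe"]    # Default Value for the WMI Query Check


def uncommented_lines(text):
    """Data Type 'Line List': every line matching the scan parameter regex."""
    return [line for line in text.splitlines() if re.match(UNCOMMENTED, line)]


def evaluate(cardinality, operator, actual, expected):
    """PASS/FAIL for the cardinality/operator pairs used in the labs."""
    if operator == "regular expression" and cardinality == "match none":
        # FAIL as soon as any collected line matches the expected-value regex.
        hits = [value for value in actual if re.search(expected, value)]
        return "FAIL" if hits else "PASS"
    if operator == "string list" and cardinality == "does not contain":
        # FAIL if any prohibited entry appears in the collected list.
        # Case-insensitive matching is my choice here, since Windows process names vary in case.
        found = {value.lower() for value in actual} & {item.lower() for item in expected}
        return "FAIL" if found else "PASS"
    if operator == "equal to":
        return "PASS" if actual == expected else "FAIL"
    raise ValueError(f"unsupported setting: {cardinality!r} / {operator!r}")


def check_root_login(config_text=SSHD_CONFIG):
    """Lab 2: fail any host whose sshd_config permits the root account to login remotely."""
    return evaluate("match none", "regular expression",
                    uncommented_lines(config_text), ROOT_LOGIN_ALLOWED)


def check_terminal_service(start_value):
    """Lab 4: pass only when the TermService 'Start' value is 4 (Disabled)."""
    return evaluate(None, "equal to", start_value, TERMSERVICE_DISABLED)


def check_prohibited_processes(running):
    """Lab 5: fail if any prohibited process name appears in the running-process list."""
    return evaluate("does not contain", "string list", running, PROHIBITED)


if __name__ == "__main__":
    print("sshd_config:", check_root_login())                       # FAIL
    print("TermService Start=4:", check_terminal_service(4))        # PASS
    # Constructed list, in the shape SELECT Name FROM Win32_Process returns it.
    print("processes:", check_prohibited_processes(
        ["System", "svchost.exe", "explorer.exe", "Wireshark.exe"]))  # FAIL
```

Note that the comment filter runs before the Default Value regex, so a commented-out `#PermitRootLogin no` is never seen by the check, while the real `PermitRootLogin yes` line is; a whitespace-only line still satisfies `^\s*[^#]` (the character class can match a space), which is harmless here but worth remembering when you write your own scan parameter regex.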
Compliance Scanning 


Whether performed by a Qualys scanner or agent, compliance scans collect data points (defined in 
the Qualys Control Library) from host assets in your account. When new controls are added to the 
library, additional scans are required to collect their associated data points. 


Agent Scans 


Qualys Cloud Agent compliance scans are automatically performed at configurable intervals. 


[Screenshot: Configuration Profile Edit > Edit Mode: Configure Scan Interval for Policy Compliance]
  Configure the interval at which the agent collects data for Policy Compliance for the assets associated with this profile.
  Data Collection Interval*: The time lapse between the completion of the previous scan and the start of the next scan
    240 min (240 - 43200)
  Other sections: General Info, Blackout Windows, Performance, Assign Hosts, VM Scan Interval, SCA Scan Interval, PM


You can customize the “Data Collection Interval” from every four hours, to every 30 days. 


From the “Middleware Assets” tab (within the Policy Compliance application) use the “Actions” 
button to “Activate Middleware Assessment” (for selected host assets). 


[Screenshot: PC > Assets > Middleware Assets; Actions menu: Activate Middleware Assessment | Deactivate Middleware Assessment | Clear Selections]
IP            | Hostname     | OS                                                       | Middleware Technology | Status
-             | ws2016dfw210 | Windows Server 2016 Standard 64 bit Edition Version 1607 | CHROME                | Successful Activation, 1 Instance Found
192.168.1.210 | -            | Windows Server 2016 Standard 64 bit Edition Version 1607 | IEXPLORER             | Successful Activation, 1 Instance Found
192.168.1.210 | -            | Windows Server 2016 Standard 64 bit Edition Version 1607 | IIS                   | Successful Activation, 1 Instance Found
192.168.1.220 | -            | Windows 10 Enterprise 64 bit Edition Version 1903        | CHROME                | Successful Activation, 1 Instance Found
192.168.1.220 | -            | Windows 10 Enterprise 64 bit Edition Version 1903        | FIREFOX               | Successful Activation


This will add the Middleware technology manifest to selected agent hosts. 
Alternatively, enable Middleware Assessments for all agent hosts in your PC or SCA subscription. 


Middleware Assessment Setup 


Enable Middleware assessment on agents activated for config assessment as soon as the 
middleware technologies are detected on your assets. 


Enable Middleware Assessment by default 


From the PC/SCA application, navigate to: Assets > Setup > Middleware Assessment. 


Presently, Qualys Cloud Agent supports the following Linux and Windows middleware technologies. 


Linux Agent 2.8.x (RHEL/OEL/CentOS/Ubuntu/Amazon Linux) | Windows Agent 4.0.x (All Windows flavors)
Apache Tomcat 7, 8, 9                                   | Apache Tomcat 7, 8, 9
Pivotal tc Server 3.x                                   | MS IIS 7, 8, 10
vFabric tc Server 2.9.x                                 | Internet Explorer 9, 10, 11
Docker 1.x, Docker CE/EE                                | Microsoft Office (Access, Excel, Outlook, PowerPoint, Word) 2013, 2016, 2019


Middleware includes software that provides common services and capabilities to applications 
outside of what's offered by the operating system. 


Agent Middleware Technologies Discovered 


Middleware technology instances discovered during Qualys Cloud Agent scans, are displayed under 
the “Middleware Assets” tab, within the PC/SCA application. 


[Screenshot: PC > Assets > Middleware Assets]
IP            | Hostname        | Middleware Technology | Status                                  | OS
192.168.1.233 | ws2012dfw233    | CHROME                | Successful Activation, 1 Instance Found | Windows Server 2012 R2 Standard 64 bit Edition
192.168.1.233 | ws2012dfw233    | IEXPLORER             | Successful Activation, 1 Instance Found | Windows Server 2012 R2 Standard 64 bit Edition
192.168.1.233 | ws2012dfw233    | IIS                   | Successful Activation, 1 Instance Found | Windows Server 2012 R2 Standard 64 bit Edition
192.168.1.242 | ws2016dfw242    | CHROME                | Pending Activation, 1 Instance Found    | Windows Server 2016 Standard 64 bit Edition Version 1607
192.168.1.242 | ws2016dfw242    | IEXPLORER             | Pending Activation, 1 Instance Found    | Windows Server 2016 Standard 64 bit Edition Version 1607
192.168.1.242 | ws2016dfw242    | IIS                   | Pending Activation, 1 Instance Found    | Windows Server 2016 Standard 64 bit Edition Version 1607
172.31.28.174 | ec2amaz-jtin3v2 | FIREFOX               | Successful Activation, 1 Instance Found | Windows Server 2019 Datacenter 64 bit Edition Version 1809 Build 17763


You can “Activate Middleware Assessments” for individual hosts or all PC/SCA agent hosts. 
Scanner Appliance Scans 


To complete a compliance scan using a Qualys Scanner Appliance, you must provide: 
1. Host authentication credentials (via Qualys Authentication Record) 
2. Your scanning options and preferences (via Qualys Compliance Profile) 


Compliance Profile 


A Compliance Profile contains your scanning options and is a required component of every 
compliance scan. 


Navigate to the following URL to view the “Compliance Profile” tutorial: 


LAB 6 - https://ior.ad/7SdX 


Scan by Policy 


By default, a Qualys scanner will attempt to collect all data points that have been defined within the 
Control Library (depending, of course, on the host technologies targeted by the scan). 


[Screenshot: Compliance Profile > Scan > Scan restriction]
  [x] Scan by Policy - Restrict scans to controls in selected policies. You can choose up to 20 policies to scan. By default Qualys scans for all applicable controls.
  Selected policy: NIST 800-53 Rev 4 for Linux v.3
  You can choose one policy at a time.
  If you add controls to the policies below, please be sure you scan them again.


The “Scan by Policy” option allows you to restrict your compliance scans to focus exclusively on data 
points contained within the policies you specify. 


The "Scan by Policy" option is required for compliance scans performed within the Qualys Security 
Configuration Assessment (SCA) application. 
Integrity Monitoring 


The "File Integrity Check" control type you created earlier, is configured to "Use scan data as 
expected value." 


[Screenshot: Edit Compliance Profile > Scan > Integrity Monitoring]
  This setting applies to file and directory integrity checks configured with “Use scan data as expected value”.
  When enabled, we'll update the control expected value used for posture evaluation with the actual value returned by the scan.
  [ ] Auto Update expected value


To ensure this works successfully, select the check box to "Auto Update expected value," here in the 
“Scan” section of the Compliance profile. 


This same option (Auto Update expected value), was configured for AGENT host assets, within the 
"File Integrity Check" UDC (see Lab Tutorial: “File Integrity Check UDC”). 


Control Types 


To improve scan performance, both Integrity Monitoring and WMI Query Check control types are 
disabled (by default), and must be explicitly selected within each Compliance Profile. 


[Screenshot: Edit Compliance Profile > Scan > Control Types]
  These control types are disabled by default to improve performance. Select each control type you want to include in the scan.
  [ ] File Integrity Monitoring controls enabled
  [ ] Custom WMI Query Checks

• Integrity Monitoring - Enable to collect the hash values needed to perform integrity checks 
on both Unix and Windows systems. 

• WMI Query Checks - Enable to perform WMI queries on Windows systems. 


Dissolvable Agent 


The "Dissolvable Agent" works exclusively with Windows hosts and helps to collect compliance data, 
especially when the Windows Remote Registry Service is unavailable. 


[Screenshot: Edit Compliance Profile > Scan > Dissolvable Agent]
  The Dissolvable Agent has been accepted for your subscription. You can now select it for this profile, and select scan features that require the Agent.
  [ ] Enable the Dissolvable Agent
  [ ] Enable Password Auditing - Custom password dictionary: 0 entries (Configure...)
  [ ] Enable Windows Share Enumeration
  [ ] Enable Windows Directory Search


Optionally, you can enable Password Auditing, Windows Share Enumeration, or Windows Directory 
Searches, once the Dissolvable Agent has been accepted and enabled. 
• Password Auditing - Perform password auditing tests to identify user accounts with: empty 
passwords (CID 3893), passwords equal to the user name (CID 3894), or passwords found in 
your own custom password dictionary (CID 3895). 

• Windows Share Enumeration - Find Windows shares that are readable by everyone and 
report the number of files for each share on each host (Control ID 4528) and whether the 
files are writable. This is good for identifying groups of files that may need tighter access 
control. 

• Windows Directory Search - Select this option to include one or more Windows Directory 
Search UDCs in the scan, that search for files/directories using many criteria such as file 
name, user accounts, and specific user access permissions. 


At scan time, Dissolvable Agent is installed on Windows devices to collect data, and once the scan is 
finished it is completely removed from target systems. 


For more Compliance Profile details, enroll in the “Policy Compliance Strategies & Best Practices 
Self-Paced Training” course (qualys.com/learning). 
Launch Compliance Scan 


Before launching or scheduling a compliance scan, ensure you have the correct scanning options 
defined in a Compliance Profile and that you have created Authentication Records for the host assets 
you intend to target. 


Navigate to the following URL to view the “Compliance Scan” tutorial: 


LAB 7 - https://ior.ad/7RC3 


To be successful, compliance scans must be performed in “authenticated” mode. If a Qualys scanner 
fails to authenticate to a host, it will not attempt to collect its compliance data and will simply move 
to the next host target. 


[Screenshot: PC > Scans > Authentication records]
Type    | Title                      | IPs                                        | #IPs | Owner      | Template     | Details
Unix    | Root Delegation via 'sudo' | 64.41.200.243-64.41.200.245, 64.41.200.250 | 4    | trann3zj92 | PM (Manager) | Details
Windows | Domain Admin               |                                            | 0    | trann3zj92 | PM (Manager) | Details


To view authentication results (from scans already completed), just click the “Details” link at the 
right-side of any Authentication Record. Alternatively, you can view authentication results by 
creating an Authentication Report. 


[Screenshot: Launch Compliance Scan]
  General Information: Give your scan a name, select a scan profile (a default is selected for you with recommended settings), and choose a scanner from the Scanner Appliance menu for internal scans, if visible.
  Title: Compliance Scan
  Compliance Profile: Compliance Lab Options
  Scanner Appliance: External
  Choose Target Hosts from: Assets | Tags - Tell us which hosts (IP addresses) you want to scan.
    Asset Groups: AG: San Jose
    IPs/Ranges: 192.168.0.87-192.168.0.92, 192.168.0.200
    Exclude IPs/Ranges: (none)


When launching a compliance scan, you must provide: 1) Title, 2) Compliance Profile, 3) Scanner 
Appliance, and 4) Target Hosts. 
When choosing a target host, select from: Asset Groups, Asset Tags, or IPs. 


[Screenshot: Launch Compliance Scan > Choose Target Hosts from: Tags]
  Tell us which hosts (IP addresses) you want to scan.
  Use IP Network Range Tags For Include - Choose from tags defined with IP address rules. This will allow you to scan the entire IP range(s) in each selected tag.
  Include hosts that have Any of the tags below: AG: San Jose
  Use IP Network Range Tags For Exclude - Choose from tags defined with IP address rules. This will allow you to exclude the entire IP range(s) in each selected tag.
  Do not include hosts that have Any of the tags below: (none)
  [Launch] [Cancel]


You can monitor the status of any compliance scan from the “PC Scans” tab. All scans are initially 
queued before they begin running. Note: scans can only collect data points for controls already in 
the Control Library. 


Scan Results 


When a compliance scan is finished, any “Authentication Issues” encountered during the scan will be 
included in the scan results. 


[Screenshot: Scan results - Authentication issues found!]
  1 host returned insufficient privileges for compliance data collection.
  Hosts with Insufficient Privilege (Showing 1 of 1)
  DNS    | IP            | NetBIOS | Instance | Cause
  demo16 | 64.41.200.246 | DEMO16  | os       | Insufficient privileges


Application technologies found on the host are also listed in the scan results. 


Application technologies found based on OS-level authentication 


Google Chrome was found for these hosts 
Google Chrome (Windows) 
64.41.200.247 


Internet Explorer was found for these hosts 
Internet Explorer 10 

64.41.200.249 
Internet Explorer 11 

64.41.200.248, 64.41.200.251 


Mozilla Firefox was found for these hosts 
Mozilla Firefox (Windows) 
64.41.200.247 
Policy Scope 
Any policy you create or import must identify the host assets it will audit; this is known as the Policy 
Scope. Both Asset Groups and Asset Tags are used to define the “scope” of a policy. 


This tutorial creates an Asset Group containing the Training Lab IPs and then identifies the matching 
Asset Tag that is automatically generated for it. 


Navigate to the following URL to view the “Asset Groups & Tags” tutorial: 


LAB 8 - https://ior.ad/7RCh 


Asset Groups 


Asset Groups allow you to group host assets within your Qualys Account. Simply create a new Asset 
Group and manually add IP address members. A single IP address can be a member of multiple Asset 
Groups. 


[Screenshot: Edit Asset Group: "AG: Compliance Lab"]
  Asset Group Title: AG: Compliance Lab
  IPs - Use the selections below to designate which hosts this asset group will contain
  Enter or Select IPs/Ranges: 64.41.200.243-64.41.200.251   (Select IPs/Ranges | Select Asset Group | Remove | Clear)
  [ ] Display each IP/Range on new line
  Other tabs: DNS, NetBIOS, Domains, Users, Business Info, Comments


Optionally, Asset Group members can also be added by their DNS or NetBIOS names. 


To help distinguish Asset Groups from Asset Tags with similar names, the Asset Group “Title” 
commonly begins with the “AG:” prefix (e.g., AG: Compliance Lab). 
Asset Tags 


The Qualys platform will automatically create a matching Asset Tag for each Asset Group you add to 
your account. All matching Asset Tags are initially placed under the “Asset Groups” hierarchy 
(Parent Tag above). 


[Screenshot: Asset Tag hierarchy]
  Qualys
    Global IT Asset Inventory
    Asset Groups (Parent Tag)
      AG: Compliance Lab (Child Tag)
    Cloud Agent
    Malware Domain...
    Business Units
    Internet Facing...


Static Tags - Are assigned manually to host assets and are commonly used as the starting point of an 
Asset Tag Hierarchy. 


Dynamic Tags - Host assignment is determined by an Asset Tag Rule Engine and dynamically changes 
with updates to a host. 


Asset Tag Hierarchy - Tags are typically nested, creating various parent/child relationships. A child 
tag should represent a subset of its parent tag. 


Policy Scope 


The Asset Groups and Asset Tags within your account will serve to define the “scope” of the policies 
you create. 


[Screenshot: Edit policy assets - "Tell us the hosts you want to analyze for compliance with this policy. Have Cloud Agent? You can also include agent hosts."]
  Choose Target Hosts from: Asset Groups | Tags
  You can select a combination of asset groups and asset tags, and we'll evaluate the policy against all matching hosts.
  Include hosts that have Any of the tags below: AG: San Jose
  Hosts with Cloud Agents: [ ] Include all hosts with PC agents
  [Cancel]


When building Asset Groups and Tags, keep in mind the host assets you will assess for compliance. 
Create Policy 


A Qualys Policy contains controls that reflect the requirements of security frameworks, regulations, 
standards, mandates, benchmarks and your own internal security policies. The Qualys Policy 
Compliance application offers multiple ways to create a policy: 


[Screenshot: Create a New Policy - Choose a policy source. How do you want to begin your policy? Select from the options below to start creating your new policy.]
  Empty Policy (Build a policy from scratch) | Existing Host (Build a policy from a previously scanned host) | From Library (Choose from one of the policies in our library) | XML File (Upload a policy from your local file system)


• Empty Policy - Build a policy from scratch. 
• Existing Host - Build a policy from a previously scanned host. 
• From Library - Choose from one of the policies in the Qualys Policy Library. 
• XML File - Upload a policy from your local file system. 


Regardless of which method you choose, all policies must contain three basic components: 1) 
technologies, 2) controls, and 3) host assets. 


Required Policy Components 


The following components are required for all Policies you create: 

1. Technologies - All policies must have one or more technologies: 
   • Operating System 
   • Service/Application 

2. Controls - Add SDCs and/or UDCs to a policy, from the Control Library or other policies. 

3. Target Hosts - Add hosts to a policy to define its scope: 
   • Asset Groups 
   • Asset Tags 


Import Policy from Library 


The Policy Library contains hundreds of compliance policies, designed to meet the objectives of 
popular mandates, frameworks, regulations, standards, and benchmarks. 


[Screenshot: Create a New Policy > Policy from Library: Choose from one of the policies in our library.]
  Find the policy that best suits your needs. Our Compliance Policy Library contains several sample policies based on popular compliance frameworks, including SOX, HIPAA, CoBIT and more. Click on one of the policies below, and then click Next to import it.
  Filters: Technologies (e.g., AIX 6.x, AIX 7.x, Amazon Linux 2 AMI, Amazon Linux AMI, Apache HTTP Server 2.4.x, Apache Kafka, Apache Tomcat 6.x-9.x, Apple Safari 11.x-13.x), Mandate, Vendor (Qualys, CIS, DISA STIG, ...)
  Policies (549), for example:
    CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1]   View Description | View Policy
    CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1 and Level 2]   View Description | View Policy
    CIS Benchmark for Apache Tomcat 6.0 v1.0.0 [Scored and Not Scored, Level 1]   View Description | View Policy
    CIS Benchmark for Apache Tomcat 6.0 v1.0.0 [Scored and Not Scored, Level 1 and Level 2]   View Description | View Policy


Navigate to the following URL to view the “Import Policy From Library” tutorial: 


LAB 9 - https://ior.ad/7SgD 


Add Assets 


After importing a policy from the library, the policy technologies and controls are added automatically. Before saving an imported policy, you need to add host assets.

The "scope" of a policy defines the host assets that the policy will audit.


[Screenshot: the new policy's scope shows "Asset Groups (0)" and "Tags (0)" with the message "You have no assets assigned to this policy yet."]


You can add assets to a policy using Asset Groups or Asset Tags. 
[Screenshot: Edit Assets dialog. "Edit policy assets. Tell us the hosts you want to analyze for compliance with this policy. Have Cloud Agent? You can also include agent hosts." Under "Choose Target Hosts from" the dialog notes: "You can select a combination of asset groups and asset tags, and we'll evaluate the policy against all matching hosts." The Asset Groups tab lists "AG: San Jose"; below it, under "Hosts with Cloud Agents", is the check box "Include all hosts with PC agents".]


By default, Asset Groups do not include Cloud Agent hosts. The "Include all hosts with PC agents" check box lets you include agent hosts when Asset Groups are used to define the scope.

Asset Tags, on the other hand, match both "scannable" and "agent" host assets by default.


[Screenshot: the imported policy's Sections: Account Policies, Local Policies, System Services, Windows Firewall With Advanced Security, Advanced Audit Policy Configuration.]


The "Evaluate now" option evaluates all controls in the policy against the current scan results when the policy is saved.

The Policy Compliance application also has many out-of-box policies (below) for OCA (Out-of-Band Configuration Assessment) asset technologies.


[Screenshot: Create a New Policy > Policy from Library, filtered by the OCA label: 15 policies. Technologies listed include Brocade Fabric 7.x and 8.x, Cisco FTD 6.x, Cisco WLC 8.x, Comware 5 and 7, Data Domain OS 5.x, FireEye CMS 7.x and 8.x, HP Printers, HP Safeguard and HPE 3PAR OS 3.x. Example entries: "Security Configuration and Compliance Policy for Cisco FTD 6.x (OCA)" and "Security Configuration and Compliance Policy for Cisco WLC 8.x (OCA)" (Version 1.0, 01/13/2020), and "Security Configuration and Compliance Policy for Brocade Fabric 7.x (OCA)" and "... for Brocade Fabric 8.x (OCA)" (Version 1.0, 07/23/2019).]


TIP: Use the OCA Asset Tag to define the “scope” of an OCA policy. 
Create Empty Policy


In this exercise, you will create a ‘blank’ policy, and manually add all policy components (i.e., 
technologies, assets, and controls). 


Navigate to the following URL to view the “Create Empty Policy” tutorial: 


LAB 10 - https://ior.ad/7Shz 


Add Technologies 


Before you can create an empty policy, you must first select one or more technologies. 


[Screenshot: Edit Technologies dialog. "Edit policy technologies. Your selection makes up the global technologies list for the policy and determines which controls can be added to the policy. Note - You can change the technologies at any time from within the Policy Editor." Selected technologies (at least one is required): CentOS 6.x, Oracle Enterprise Linux 5.x, Oracle Enterprise Linux 7.x, Windows 10, Windows 2008 Server, Windows 2012 R1/R2 Active Directory, Windows 2012 Server, Windows 7.]


Although the lab tutorial combines Unix and Windows technologies in the same policy, some prefer (for simplicity) to keep them in separate policies.


Add Assets 


The “AG: San Jose” asset group (created in the second lab tutorial) spans all of the Unix and Windows 
technologies in this policy. 


[Screenshot: Edit Assets dialog, Tags tab: "Include hosts that have Any of the tags below." with the tag "AG: San Jose" selected.]


The “AG: San Jose” Asset Tag was automatically created, when the “AG: San Jose” Asset Group was 
added to your account. 
Add Controls


Initially the Policy Editor displays a blank policy. Controls have yet to be added. 
[Screenshot: Policy Editor, Controls view, with "Add Controls" and "Copy Controls" buttons, empty columns Reference #, CID, Statement, Technologies and Criticality, the message "You have not added any controls yet", and the "Evaluate now" option.]


Controls are added to one or more sections using either the "Add Controls" or "Copy Controls" button.

- Add Controls - add controls from the Control Library.
- Copy Controls - copy controls from another policy.

Controls added from the Control Library often need adjustments or tuning. Copying controls from another policy has the advantage of carrying over any adjustments or tuning you have already made there.


[Screenshot: Add Controls dialog. "Add controls. Select one or more controls for the policy. Only controls that match at least one technology in your policy and have not already been added will be available." The list shows 1 - 100 of 3066 controls, with columns CID, Statement, Criticality, Category, Type (SDC/UDC), Created and Modified. UDCs such as CID 100003 "WMI Query Check", "Registry Value Content Check", "Unix File Integrity Check" and "Unix File Content Check" appear alongside SDCs such as "Status of the 'BIOS Password' ..." (URGENT, Access Control).]


When adding User Defined Controls (UDCs) to a policy, look for CID numbers starting at 100000; UDCs are numbered from there, which separates them from the service-defined controls when you sort or search by CID.
Cardinality


Many of the User Defined Control types in the Qualys Policy Compliance application use the "String List" or "Regular Expression List" data types, creating a scenario where a list of values (Y) specified in the control is compared to another list of values (X) collected from a target host.

The cardinality setting determines how list X is compared to list Y to reach the PASS/FAIL outcome.


CARDINALITY         YOU ARE COMPLIANT WHEN
contains            X contains all of Y
does not contain    X does not contain any of Y
matches             All strings in X match all strings in Y (any order)
intersect           Any string in X matches any string in Y
is contained in     All strings in X are contained in Y

- X (Actual) = list of values returned by a scan or agent.
- Y (Expected) = list of values defined by the control.


The WMI Query Check UDC (created in an earlier lab tutorial) identifies host assets running prohibited software by comparing a list of "prohibited" software applications to the list of running processes collected from a targeted host.


[Screenshot: testing the WMI Query Check UDC in the Policy Editor. Statement: "Identify prohibited or suspicious software applications." Evidence: "List the names of running processes." Expected: "does not contain", string list: Wireshark.exe, zennmap.exe. "Please enter the IP address you want to test this control against and click Evaluate." Target: 64.41.200.248. "Control result: The expected value does match the configuration gathered from the target. You may change both the target and the expected value and click Evaluate again." Actual (last updated 10/15/2020 at 07:43:57 PM GMT-0500): 'System Idle Process', 'System', 'Registry', 'smss.exe', 'csrss.exe', ...]


In the lab tutorial example, the "does not contain" cardinality produces the intended outcome: hosts PASS only if they are NOT running any of the "prohibited" software applications.

Changing the cardinality setting from "does not contain" to "contains" produces a FAIL outcome (as expected), because none of the listed applications appears in the host's process list. The "contains" cardinality would be more appropriate in a "required" software control.


[Screenshot: the same test with the cardinality changed to "contains" (string list: wireshark.exe, zennmap.exe) against 64.41.200.248. "Control result: The expected value does not match the configuration gathered from the target." The Actual process list is unchanged: 'System Idle Process', 'System', 'Registry', 'smss.exe', 'csrss.exe', ...]


You can experiment with different cardinality settings, expected values, and even IP addresses while adjusting and tuning a control. Just continue to click the "Evaluate" button to see how your changes impact the PASS/FAIL results.

The test and evaluate capabilities built into the Policy Editor demonstrate one advantage of having compliance scan data available before building any policy.


[Screenshot: the test repeated with "does not contain" and an edited string list (wireshark.exe, nmap.exe) against 64.41.200.248; the result again reads "The expected value does match the configuration gathered from the target." The Actual process list is unchanged.]


You can adjust a control's cardinality, data type, expected list of values, and test IP address while testing and evaluating controls against real host assets in your account. This part of the tuning process is commonly performed when adding controls to any policy.

Any adjustment you make in the Policy Editor will not impact the Default Values (within the Control Library); what happens in the policy stays in the policy.

The testing and evaluation tools in the Policy Editor require existing scan data to function: a host that has not yet been compliance-scanned (or has no agent data) has no Actual values to evaluate against.
contains


The "contains" cardinality operator is ideal for defining a "Required Software List".


[Screenshots: the "Required software applications installed" control, evaluated twice on a lab host. Description: the correct primary user applications, such as the Microsoft Office Suite and other supporting software, are critical to the proper user workflow, while a single rogue application can bring the entire process to a halt; the applications installed on the system should match those specified as appropriate. Evidence: "The following List String value(s) X indicate the current list of installed applications (registered with the OS) on the system as defined within the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key. NOTE: For 64-bit versions, the registry key checked is HKLM\Software\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall." Expected: "contains", regular expression list; OR any of the selected values below: "No software found", "Key not found". Actual (last updated 01/05/2020 at 21:02:59 GMT+0530): WinPcap 4.1.3:4.1.0.2980, Wireshark 2.6.1 64-bit:2.6.1, Microsoft Visual C++ 2008 Redistributable x86 and x64 9.0.30729.4148, Microsoft Visual C++ 2017 Redistributable (x64), x64 Minimum Runtime and x64 Additional Runtime 14.12.25810, VMware Tools:9.4.0.1280544.]


If any required software element is missing, the host will fail. 
does not contain


The “does not contain” cardinality operator is useful if you want to identify the presence of 
prohibited software or services. 


[Screenshots: the "Prohibited software applications installed" control evaluated on 64.41.200.249: Passed, criticality CRITICAL, evaluation date 02/04/2020 at 08:20:54 PM (GMT+0530). Description: unauthorized, incorrect, or rogue applications can interfere with user workflow and delay the timely completion of company projects; unauthorized or incorrect versions or rogue applications installed on any system should be identified and removed as appropriate to the needs of the business. Evidence is the same installed-applications list read from the Uninstall registry key (64-bit: HKLM\Software\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall). Expected: "does not contain", with the alternatives "No software found" and "Key not found". One listing (last updated 01/05/2020 at 21:02:59 GMT+0530) shows Apple Application Support (32-bit):3.1.3, Apple Mobile Device Support:8.1.1.3, Apple Software Update:2.1.3.127, Bonjour:3.0.0.10, Google Chrome, Google Update Helper:1.3.33.7, iTunes:12.1.2.27, LimePro 2.0.5.6046:2.0.5.6046, Microsoft .NET Framework 1.1:1.1.4322 and Microsoft Antimalware:2.0.6212.2; the other (last updated 12/10/2019 at 11:48:40 PM GMT+0530) shows the Microsoft Visual C++ 2008 and 2017 redistributables and runtimes, VMware Tools 9.4.0.1280544, WinPcap 4.1.3 and Wireshark 2.6.1 64-bit.]


If any prohibited item is found, the host will FAIL. 
matches


The “matches” cardinality operator determines if one list matches another. 


[Screenshot: control 1.8 "Windows Group Membership Check" from the "Custom Policy with UDCs" policy, evaluated on 64.41.200.249 (the lab domain controller): Passed, evaluation date 01/09/2020 at 15:42:18 (GMT+0530). Statement: Who are the members of the "Administrators" local group? Expected: "matches", regular expression list: Administrator, engrdlab, Domain Controllers, Enterprise Admins, Domain Admins, qscanner. Actual (last updated 01/07/2020 at 20:31:05 GMT+0530): TRN\Administrator, TRN\engrdlab, TRN\Domain Controllers, TRN\Enterprise Admins, TRN\Domain Admins, TRN\qscanner.]


The list of actual values must match the list of expected values (independent of their order), to 
receive a PASS. 


[Screenshot: the same control evaluated on 64.41.200.246: Failed, evaluation date 01/09/2020 at 15:42:18 (GMT+0530). Expected: the same six-item regular expression list (Administrator, Domain Admins, qscanner, engrdlab, Domain Controllers, Enterprise Admins). Actual: WIN2008R2\Administrator, WIN2008R2\qscanner, TRN\Domain Admins.]


If the number of items in the list of actual values is greater than or less than the number of items in 
the list of expected values, a FAIL condition occurs. 
is contained in


The "is contained in" cardinality operator determines whether every item in the list of actual values appears in the list of expected values; only then is a PASS produced.


[Screenshot: control 1.13 "Current list of Groups and User Accounts granted the 'Access this computer from the network' right" evaluated on 64.41.200.246: Passed. Description: the right allows a user to interact with remote Windows systems; by Windows default all users hold it, so depending on the mix of folder/file permissions on the networked systems, users can potentially reach confidential resources such as print queues, or file servers with non-NTFS file systems that only enforce folder-level access; per Microsoft KB 823659 this right should be limited as appropriate to the needs of the business (CAUTION: if the 'Everyone' group is removed, users shall be blocked from accessing remote hosts). Evidence: "The following List String value(s) X indicate the current User Accounts defined within the Access this computer from the network policy." Expected: "is contained in", regular expression list: Administrators, Backup Operators; OR any of the selected values below: "Right not assigned". Actual (last updated 12/10/2019 at 11:44:40 PM GMT+0530): BUILTIN\Administrators.]


Notice that a PASS is still produced, if the number of items in the list of actual values is less than the 
number of items in the list of expected values. 


[Screenshot: the same control 1.13 on 64.41.200.246, now Failed, criticality CRITICAL, evaluation date 02/04/2020 at 02:20:54 PM (GMT+0530). Expected unchanged (Administrators, Backup Operators; OR "Right not assigned"). Actual (last updated 12/10/2019 at 11:44:40 PM GMT+0530): BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Power Users, BUILTIN\Users.]


If any item in the list of actual values is not within the list of expected values, a FAIL result is 
produced. 
intersect


If you want to identify a list of "Optional Software", the "intersect" cardinality operator can be used.


[Screenshot: the "Required software applications installed" control evaluated on 64.41.200.249 with the "intersect" cardinality: Passed. Same description and Uninstall-registry-key evidence as above; alternatives "No software found", "Key not found". Actual (last updated 01/05/2020 at 21:02:59 GMT+0530): Microsoft Visual C++ 2008 Redistributable x64 and x86 9.0.30729.4148, Microsoft Visual C++ 2017 Redistributable (x64), x64 Additional Runtime and x64 Minimum Runtime 14.12.25810, VMware Tools:9.4.0.1280544, Wireshark 2.6.1 64-bit:2.6.1.]


If any one of the listed optional software elements is present, the host will PASS.
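The five operators in the cardinality table, and the worked cases in the contains, does not contain, matches, is contained in and intersect sections above, can all be reproduced with one small evaluator. The Python below is an added example written for this page; it is not Qualys code and does not call the Qualys platform. It makes two assumptions the page does not state: String List items compare as case-insensitive exact matches, and Regular Expression List items are matched with an unanchored search, which is the behaviour implied by the lab's "matches" example (the expected value Administrator matching the actual value TRN\Administrator). The process list, installed-application list and group memberships are constructed sample data modelled on the lab screenshots.

```python
import re

# Added example (not Qualys code): evaluate the cardinality of a list-valued control.
# X = actual values collected from the host, Y = expected values defined in the control.
# Assumptions not stated on the page:
#   - String List items compare as case-insensitive exact matches.
#   - Regular Expression List items are matched with unanchored re.search(), which is
#     what makes expected "Administrator" match actual "TRN\Administrator" in the lab.


def _match_pairs(expected, actual, regex):
    """Index pairs (i, j) where expected[i] matches actual[j]."""
    pairs = set()
    for i, y in enumerate(expected):
        for j, x in enumerate(actual):
            hit = re.search(y, x) is not None if regex else y.casefold() == x.casefold()
            if hit:
                pairs.add((i, j))
    return pairs


def evaluate(cardinality, expected, actual, regex=False, accepted_status=()):
    """Return "PASS" or "FAIL" for one control on one host.

    actual is either the list X collected from the host, or a single status string such
    as "Key not found" when nothing could be collected; the control's "OR any of the
    selected values below" alternatives are passed in accepted_status.
    """
    if isinstance(actual, str):
        return "PASS" if actual in accepted_status else "FAIL"
    pairs = _match_pairs(expected, actual, regex)
    every_expected_hit = len({i for i, _ in pairs}) == len(expected)
    every_actual_hit = len({j for _, j in pairs}) == len(actual)
    compliant = {
        "contains": every_expected_hit,                      # X contains all of Y
        "does not contain": not pairs,                       # X contains none of Y
        "matches": every_expected_hit and every_actual_hit   # same items, any order
                   and len(expected) == len(actual),
        "intersect": bool(pairs),                            # some X matches some Y
        "is contained in": every_actual_hit,                 # every X is in Y
    }[cardinality]
    return "PASS" if compliant else "FAIL"


# Constructed sample data modelled on the lab screenshots (not collected from real hosts).
PROCESSES = ["System Idle Process", "System", "Registry", "smss.exe", "csrss.exe"]
INSTALLED = [
    "WinPcap 4.1.3:4.1.0.2980",
    "Wireshark 2.6.1 64-bit:2.6.1",
    "Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810:14.12.25810.0",
    "VMware Tools:9.4.0.1280544",
]
ADMINS_ON_DC = ["TRN\\Administrator", "TRN\\engrdlab", "TRN\\Domain Controllers",
                "TRN\\Enterprise Admins", "TRN\\Domain Admins", "TRN\\qscanner"]
ADMINS_ON_MEMBER = ["WIN2008R2\\Administrator", "WIN2008R2\\qscanner", "TRN\\Domain Admins"]
NETWORK_LOGON_TIGHT = ["BUILTIN\\Administrators"]
NETWORK_LOGON_LOOSE = ["BUILTIN\\Administrators", "BUILTIN\\Backup Operators",
                       "BUILTIN\\Power Users", "BUILTIN\\Users"]


def lab_results():
    """Re-run each scenario from the lab and return {scenario: PASS/FAIL}."""
    prohibited = ["Wireshark.exe", "zenmap.exe"]            # string list
    required = [r"^Wireshark ", r"^VMware Tools"]           # regex list
    optional = [r"^Wireshark ", r"^Notepad\+\+"]            # regex list
    admins = ["Administrator", "engrdlab", "Domain Controllers",
              "Enterprise Admins", "Domain Admins", "qscanner"]
    network_logon = ["Administrators", "Backup Operators"]
    software_status = ("No software found", "Key not found")
    return {
        "prohibited processes, does not contain": evaluate("does not contain", prohibited, PROCESSES),
        "prohibited processes, contains": evaluate("contains", prohibited, PROCESSES),
        "required software, contains": evaluate("contains", required, INSTALLED, regex=True),
        "optional software, intersect": evaluate("intersect", optional, INSTALLED, regex=True),
        "admins on DC, matches": evaluate("matches", admins, ADMINS_ON_DC, regex=True),
        "admins on member, matches": evaluate("matches", admins, ADMINS_ON_MEMBER, regex=True),
        "network logon right, is contained in (tight)":
            evaluate("is contained in", network_logon, NETWORK_LOGON_TIGHT, regex=True),
        "network logon right, is contained in (loose)":
            evaluate("is contained in", network_logon, NETWORK_LOGON_LOOSE, regex=True),
        "uninstall key missing, accepted status":
            evaluate("contains", required, "Key not found", regex=True, accepted_status=software_status),
    }


if __name__ == "__main__":
    for scenario, outcome in lab_results().items():
        print(f"{outcome}  {scenario}")
```

Run it and each lab scenario prints PASS or FAIL in the order the page presents them. The unanchored regular-expression matching is the thing to watch when tuning a control: an expected value of Users would also match Power Users and so let a loose membership list pass an "is contained in" check, so anchor patterns (^...$) or include the domain prefix whenever the list has to be exact.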
Compliance Reports


Authentication Report 


Authentication is a requirement for performing compliance scans; therefore it is important to monitor the success and failure of authentication attempts made by your Qualys Scanner Appliance.

An Authentication Report will help you identify failed authentication attempts and other conditions that could result in the failure to collect compliance data.

The illustration below depicts an Authentication Report taken from our Training Lab environment.


[Authentication Report, Training Lab. Asset Tags Summary: Included (any): AG: San Jose; Excluded (any): none. 10 of 10 (100%) Successful, 0 of 10 (0%) Failed, 0 of 10 (0%) Not Attempted. Results for the selected Asset Tags (10 of 10, 100%):]

Unix/Cisco/Checkpoint Firewall
Host                                              Host Technology
64.41.200.243 (demo13.s02.sjc01.qualys.com, -)    CentOS 6.x
64.41.200.244 (demo14.s02.sjc01.qualys.com, -)    Oracle Enterprise Linux 5.x
64.41.200.245 (demo15.s02.sjc01.qualys.com, -)    Oracle Enterprise Linux 7.x
64.41.200.250 (demo20.s02.sjc01.qualys.com, -)    CentOS 6.x

Windows
Host                                                            Host Technology
64.41.200.246 (win2008r2.trn.qualys.com, WIN2008R2)             Windows 2008 Server
64.41.200.247 (trn-win7.trn.qualys.com, TRN-WIN7)               Windows 7
64.41.200.248 (trn-win10-pro.trn.qualys.com, TRN-WIN10-PRO)     Windows 10
64.41.200.249 (trn-win2012-dc.trn.qualys.com, TRN-WIN2012-DC)   Windows 2012 R1/R2 Active Directory
64.41.200.249 (trn-win2012-dc.trn.qualys.com, TRN-WIN2012-DC)   Windows 2012 Server
64.41.200.251 (trn-win10.trn.qualys.com, TRN-WIN10)             Windows 10

A further Host Technology heading, Active Directory 2012, follows the Windows table.


Authentication attempts by the Qualys Scanner Appliance, have been successful for all lab targets. 
The following is a list of all possible authentication outcomes: 


Passed - Authentication was successful.

Insufficient Privileges - Authentication was successful, but the Qualys scanning account was not able to access data needed to perform one or more compliance assessment tests. Example row:

Host                              Host Technology       Status    Cause
64.41.200.246 (demo16, DEMO16)    Windows 2008 Server   Passed*   Insufficient privileges

Failed - Authentication was not successful. Example row:

Host                                              Status   Cause
64.41.200.247 (trn-win7.trn.qualys.com, TRN-WIN7) Failed   Unable to complete Windows login for host=64.41.200.247, user=qscanner, domain=trn.qualys.com, ntstatus=c000005e

(NTSTATUS 0xC000005E is STATUS_NO_LOGON_SERVERS: no domain controller was available to service the logon request, so this particular failure points at domain connectivity rather than a bad password.)

Not Attempted - An authentication record was not found for a targeted host, and therefore authentication was not attempted. Example row:

Host                                              Host Technology   Status          Cause
64.41.200.244 (demo14.s02.sjc01.qualys.com, -)    -                 Not Attempted   Host has no authentication information associated with it
A status of "Not Attempted" typically identifies host IPs that do not have a corresponding authentication record.

Qualys recommends using root and Administrator-equivalent accounts for all compliance scans; a less privileged scanning account produces "Insufficient Privileges" results for every control whose data it cannot read.


Policy Report 


The “Layout” section of a Policy Report Template provides some useful report filtering options. 


[Screenshot: New Compliance Policy Report Template, Layout section: "Choose a grouping method for the report's detailed results section, and select the components to be included in the report." Options: Group By; Status: Passed, Failed, Error; Criticality: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT. Other template sections: General Information, Display, Trending, Frameworks, User Access, Sections.]


You can create reports that only display “Failed” controls and focus the report on the most critical 
controls. 


[Screenshot: the template's Display section. Options include Last Fail Date, First Pass Date, Last Pass Date; Remediation Info for Failed Controls, for Passed Controls, for Error Controls; Cause of Failure: Unexpected values, Missing values; Glossary; Appendix.]


The “Cause of Failure” options will help to highlight required values that are missing or unexpected. 
Create Policy Report


A Policy Report focuses on the controls of a single policy and may contain one or more hosts or technologies within the policy scope. The evidence included for each control helps one to understand the reason for any PASS or FAIL outcome.


Navigate to the following URL to view the “Create Policy Report” tutorial: 


LAB 11 - https://ior.ad/7Sj9 


Once a specific policy has been selected, only host assets defined within the Policy Scope will be included in a Policy Report. Additional filtering options include:

[Screenshot: Report Source: "Select a policy to draw data from." - Policy Compliance Lab UDC Policy. Include: All Assets in policy / Select Asset Groups in policy / Select IPs in policy / Single Instance / Select Asset Tags.]

- All Assets in policy - Include all assets defined within the policy scope.
- Select Asset Groups in policy - Include assets from one or more specific Asset Groups.
- Select IPs in policy - Include one or more IP addresses.
- Single Instance - Include one or more technology instances.
- Select Asset Tags - Include assets labeled with one or more specific Asset Tags.


A distinguishing characteristic of the Policy Report is the evidence that impacts each PASS/FAIL result. 


[Policy Report excerpt: control 2239 "Status of the 'PermitRootLogin' setting in the 'sshd_config' file" (reference 5.28), Instance: os, Evaluation Date: 07/01/2019 at 19:40:36 (GMT-0500), Status: Failed (actual 'yes' does not match expected 'no').

Description: The 'PermitRootLogin' value (in '/etc/ssh/sshd_config') allows for 'direct' root login by a remote user/application to resources on the local host. As permitting direct 'root' login under any circumstances, except physically at the console (where facility tracking of user presence can be implemented), is a security risk and necessarily compromises the individual accountability and audit capability that is provided by requiring a 'sudo' connection for root-level activities, this value should be set as appropriate to the needs of the business.

Evidence: "The following List String value(s) X indicate the current PermitRootLogin setting within the /etc/ssh/sshd_config file." Expected: matches regular expression list: no; OR any of the selected values below: Setting not found, File not found.
Actual (last updated 07/01/2019 at 19:33:16 GMT-0500): yes
Extended Evidence: File name /etc/ssh/sshd_config, Setting PermitRootLogin.

Remediation: Configure the 'PermitRootLogin' value as appropriate to the business needs and organization's security policies. Edit the '/etc/ssh/sshd_config' file and look for the 'PermitRootLogin' parameter and give the appropriate value: PermitRootLogin <value> Example: PermitRootLogin no

Cause of Failure (expandable section).]


This is the type of information that systems administrators and operational teams need to correct a configuration error or any other type of failed requirement.
Interactive Reports


When a host fails to meet a control requirement, one option involves correcting the condition that 
led to the failure. However, if a compensating control has been deployed to address the problem, 
another option involves requesting an exception for the failed control. The Policy Compliance 
Application provides Interactive Reports for requesting and managing exceptions: 


= Control Pass/Fail Report 


= Individual Host Compliance Report 


Requesting Exceptions 


Navigate to the following URL to view the “Interactive Report” tutorial: 


LAB 12 - https://ior.ad/7Sqv 


To request an exception for a failed control, run one of the two interactive reports. Interactive reports are short-lived; they are not saved (like other reports) under the "Reports" tab.


[Screenshot: New Compliance Interactive Report. "Select an interactive report from the list below." Real-time Reports: Control Pass/Fail, Individual Host Compliance. Description of the Control Pass/Fail/Error Report: "The Control Pass/Fail/Error Report identifies the compliance status for a particular control. When you run this report, you'll specify a policy and a control from that policy to report on. Hosts are listed with a pass, fail or error status for the specified control." Buttons: Run, Cancel.]


An interactive report will remain running, until you have successfully completed one or more 
exception requests. Interactive reports that are closed are not saved, but can easily be recreated. 
The "Individual Host Compliance" report (below) displays all control test outcomes for a single host.


[Screenshot: Report Setup for the Individual Host Compliance report. Policy: CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1803), v1...; Asset Group: none selected; Asset Tags: include hosts that have Any of the tags below: Window 10 (no exclusion tags); IP Address: 64.41.200.248.]


Once a policy and assets have been selected, an individual host IP address (from the policy scope) 
must be specified. 


The “Control Pass/Fail” report (below) displays the results or outcomes for a single control, on one or 
more host assets. 


[Screenshot: Report Setup for the Control Pass/Fail report. Policy: CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1803), v1...; Asset Group: none selected; Asset Tags: include hosts that have Any of the tags below: Window 10; Control: Status of the 'Minimum Password Length' setting.]


Once the policy and assets have been selected, an individual Control ID (from the policy's list of 
controls) must be specified. 
[Screenshot: Report Setup > Layout. Display: Passed, Failed, Error. Criticality: UNDEFINED, 
MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT.] 


In most cases, you will request exceptions for failed controls. Alternatively, you have the option to 
filter controls by their “Criticality.” 


Order | CID  | Reference | Control                                                   | Category                    | Posture | Criticality | Exception 
1.1   | 1318 | 1.1.1     | Status of the 'Enforce password history' setting          | Access Control Requirements | Failed  | URGENT      | Request 
1.2   | 3376 | 1.1.2     | Status of the 'Maximum Password Age' setting (expiration) | Access Control Requirements | Failed  | URGENT      | Request 
1.3   | 1072 | 1.1.3     | Status of the 'Minimum Password Age' setting              | Access Control Requirements | Failed  | URGENT      | Request 
1.4   | 1071 | 1.1.4     | Status of the 'Minimum Password Length' setting           | Access Control Requirements | Failed  | CRITICAL    | Request 
1.5   | 1092 | 1.1.5     | Status of the 'Password Complexity Requirements' setting  | Access Control Requirements | Failed  | (cut off)   | Request 


Notice the “Exception” column (on the right side). The “Request” links allow you to request an 
exception for the controls that are listed. 


[Screenshot: “Request Exception” dialog. Assign to: Qualys Auditor (Auditor: trann3qe25). 
Comments: “Please provide 90-day exception for Training Lab hosts.” Option: Reopen exception on 
change of evidence. Button: Request.] 


By default, exception requests will be assigned to an “Auditor” account. Optionally, exception 
requests can be assigned to a “Manager” account. The examples in this lab tutorial use the “Auditor” 
account. The “Comments” field is required. 
Order | CID  | Reference | Control                                                            | Category                    | Posture | Criticality | Exception 
1.1   | 1318 | 1.1.1     | Status of the 'Enforce password history' setting                   | Access Control Requirements | Passed  | URGENT      | Approved 
1.2   | 3376 | 1.1.2     | Status of the 'Maximum Password Age' setting (expiration)          | Access Control Requirements | Failed  | URGENT      | Expired 
1.3   | 1072 | 1.1.3     | Status of the 'Minimum Password Age' setting                       | Access Control Requirements | Failed  | URGENT      | Expired 
1.4   | 1071 | 1.1.4     | Status of the 'Minimum Password Length' setting                    | Access Control Requirements | Failed  | URGENT      | Expired 
1.5   | 1092 | 1.1.5     | Status of the 'Password Complexity Requirements' setting           | Access Control Requirements | Failed  | URGENT      | Pending 
1.6   | 2484 | 1.1.6     | Status of the ‘Store passwords using reversible encryption’ setting | Access Control Requirements | Passed  | URGENT      | 
1.7   | 2841 | 1.2.1     | Status of the ‘Account Lockout Duration’ setting (invalid login attempts) | Access Control Requirements | Passed | URGENT | 


The values displayed in the “Exception” and “Posture” columns will change as selected controls go 
through the exception handling process. Auditors have the option of assigning expiration dates to 
approved exceptions. If the control is still failing at the time of its expiration date, “Expired” 
will be displayed in the “Exception” column. 
Working With Exception Requests 


When editing exception requests, an Auditor must determine the impact of allowing a failed 
control/host to be exempted from a policy. It is common for some type of compensating control to 
be implemented as the justification for approval. 


[Screenshot: Exceptions tab (Policies | Scans | Reports | Exceptions | Assets | Users). Toolbar: New, 
Search, Filters. Columns: IP Address, Technology, Policy. Row for 64.39.106.248 with Quick actions: 
Info, Policy, Edit.] 


When granting any exception, Auditors should always take into account the regulations, standards, 
and mandates that impact your organization or business. 


Navigate to the following URL to view the “Working With Exception Requests” tutorial: 


LAB 13 - https://ior.ad/7Sr0 


The Auditor Role 


The role of Auditor was created primarily to approve or reject exceptions requested for failing hosts. 
To properly fulfill this role, an auditor should be familiar with your organization's security policies, 
governing regulations, and security frameworks. 


In addition to approving/rejecting exceptions, auditors can: 


= Create and edit policies 
= Generate reports 
= Add new controls to the Control Library 


Additional Auditor Characteristics: 


= Auditors cannot be added to a Business Unit. 

= Auditors cannot run compliance scans. 

= Auditors have access to all hosts in your Policy Compliance subscription (and cannot be 
restricted to a single Asset Group). 

= Auditors only have visibility into compliance data (not vulnerability data). 

= Other user roles cannot be changed to the role of Auditor. 


Although a “Manager” account can also be used to approve exception requests, the examples in this 
lab tutorial use the “Auditor” account. 
[Screenshot: “Edit Exception” dialog. Action: Approved. End Date: 03/31/2021. Reassign: Qualys 
Auditor (Auditor: trann3qe25). Comments: “Training Lab hosts are granted an exception for 90-days”. 
Option: Reopen exception on change of evidence.] 


An exception can be reassigned, approved or rejected. An approved exception can be set to expire 
on a specific date. Approved exception requests will be noted in the next interactive report. If an 
exception request is rejected, the control keeps its failed status. 


The “Reopen exception on change of evidence” option will reopen an “approved” exception if a 
future scan returns a value that is different from the current value and the control is still failing. 
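As an added illustration (not Qualys code and not part of this lab supplement), the following Python model walks a failing control through the exception states described above: a request starts as “Pending”; an Auditor approves it (here with the 03/31/2021 end date used in the lab) or rejects it; an approved exception masks the failure as “Passed” until its end date, shows “Expired” if the control still fails when that date arrives, and, with “Reopen exception on change of evidence” enabled, is reopened when a later scan returns a different value while the control still fails. The scan dates, evidence values, the “Reopened” label and the handling of a control that starts passing on its own are assumptions of the model.

```python
"""Added model of the Policy Compliance exception lifecycle described in the lab text.

Not Qualys code: the labels Pending/Approved/Rejected/Expired come from the lab
screenshots; "Reopened" and the passing-control branch are assumptions, and all
scan data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ScanResult:
    """One control test outcome from a compliance scan (constructed sample)."""
    scan_date: date
    value: str      # evidence value the scan returned for the control
    passed: bool    # whether the control test passed on its own


@dataclass
class ControlException:
    """An exception request for one control on one host."""
    requested_value: str             # evidence value when the request was raised
    reopen_on_change: bool = False   # "Reopen exception on change of evidence"
    status: str = "Pending"          # Pending | Approved | Rejected | Expired | Reopened
    end_date: Optional[date] = None  # optional expiration set by the Auditor


def approve(exc: ControlException, end_date: Optional[date] = None) -> None:
    """Auditor action: approve the request, optionally with an end date."""
    exc.status = "Approved"
    exc.end_date = end_date


def reject(exc: ControlException) -> None:
    """Auditor action: reject the request; the control keeps its failed status."""
    exc.status = "Rejected"


def apply_scan(exc: ControlException, scan: ScanResult) -> Tuple[str, str]:
    """Return the (Exception, Posture) column values after a new scan result."""
    if scan.passed:
        # Assumption: a control that passes on its own no longer needs masking.
        return exc.status, "Passed"
    if exc.status == "Approved":
        if exc.end_date is not None and scan.scan_date >= exc.end_date:
            # Still failing when the end date is reached: the report shows "Expired".
            exc.status = "Expired"
        elif exc.reopen_on_change and scan.value != exc.requested_value:
            # Evidence changed and the control still fails: the exception reopens
            # and goes back to the Auditor ("Reopened" label is an assumption).
            exc.status = "Reopened"
        else:
            # An approved, unexpired exception masks the failure as "Passed".
            return "Approved", "Passed"
    # Pending, Rejected, Expired and Reopened requests all leave the control failing.
    return exc.status, "Failed"


def simulate() -> Dict[str, List[Tuple[str, str, str]]]:
    """Run four constructed scenarios for a failing 'Minimum Password Length' control
    through three later scans; returns {scenario: [(scan date, Exception, Posture)]}."""
    scans = [
        ScanResult(date(2021, 1, 15), "8", passed=False),   # same evidence as at request time
        ScanResult(date(2021, 3, 1), "10", passed=False),   # value changed, still failing
        ScanResult(date(2021, 4, 1), "10", passed=False),   # past the 03/31/2021 end date
    ]
    scenarios = {
        "approved_reopen": ControlException("8", reopen_on_change=True),
        "approved_no_reopen": ControlException("8"),
        "rejected": ControlException("8"),
        "pending": ControlException("8"),
    }
    approve(scenarios["approved_reopen"], end_date=date(2021, 3, 31))
    approve(scenarios["approved_no_reopen"], end_date=date(2021, 3, 31))
    reject(scenarios["rejected"])
    return {
        name: [(s.scan_date.isoformat(), *apply_scan(exc, s)) for s in scans]
        for name, exc in scenarios.items()
    }


if __name__ == "__main__":
    for name, rows in simulate().items():
        print(name)
        for scan_day, exception_col, posture in rows:
            print(f"  {scan_day}  Exception={exception_col:<9} Posture={posture}")
```

Running the block prints one line per scan for each scenario; the two approved scenarios diverge at the 03/01 scan (the reopen-enabled one goes back to the Auditor, the other stays approved until it expires on 04/01), while rejected and pending requests never change the failed posture.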
Policy Compliance Certification Exam 


Participants in this training course have the option to take the Policy Compliance Certification 
Exam. This exam is provided through our Learning Management System (qualys.com/learning). 
To take the exam, candidates will need a “learner” account. 


[Screenshot: Qualys Training & Certification login page (qualys.com/learning), with Username and 
Password fields and the “Forgot your password?” and “Request a new account” links.] 


If you would like to take the exam, but do not already have a “learner” account, click the “Request 
a new account” link (above), from the “Qualys Training & Certification” login page 
(qualys.com/learning). 


Once you have created a “learner” account (and for those who already have an account), click the 
following link to access the “QSC 2021 Configuration Assessment & Response” course page: 


https://gml.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237828 


[Screenshot: Qualys Training & Certification > Course Catalog: Class Details] 
Course: Configuration Assessment and Response - QSC 2021 
Class Name: Compliance - QSC 2021 
Class Code: 2250729076520210917130908 
Contact Name: Phil Niegos 
Private Class: Yes 
Maximum Class Capacity: 150 
Class Cost: 50.00 
Session 1: Las Vegas - Bellagio - Classroom A, 3600 Las Vegas Blvd. South; Tuesday, November 16, 2021 
9:00 AM to 5:00 PM (America/Los Angeles) (UTC -08:00); Instructor: Philip Niegos 


From the course page, click the “Enroll” button (lower-right corner). 
After successfully completing the course enrollment, click the “Launch” button for the Qualys 
Policy Compliance Exam. 


[Screenshot: course page for Configuration Assessment and Response - QSC 2021 (Class: Compliance - 
QSC 2021, Tuesday, November 16, 2021, Las Vegas - Bellagio - Classroom A, Philip Niegos). 
Learning activities: QSC 2021 Configuration Assessment & Response Lab Supplement (pdf, Open); 
QSC 2021 Configuration Assessment & Response Slides (pdf, Open); Qualys Policy Compliance Exam 
(Test, Not Attempted, Launch).] 


Each candidate is provided five attempts to pass the exam. You may use the course presentation 
slides and lab tutorial supplement to help you answer the exam questions. You may also use any 
of the resources within the Qualys UI (such as the “Help” menu) and resources found on the 
Qualys Community (community.qualys.com) to answer exam questions. 


[Screenshot (example from the QSC 2020 VMDR course): Qualys Vulnerability Management Detection & 
Response - QSC 2020. Progress: Completed; Status: Enrolled; Duration: 6 hours; “Print Certificate” 
button. Activities: QSC20 VMDR Lab Tutorial Supplement (pdf); QSC20 VMDR Presentation Slides (pdf); 
Qualys Vulnerability Management Detection & Response (VMDR) Exam (Test, Score 100%, Passed, last 
accessed 11/3/2020 7:38:14 PM).] 


With a passing score of 75% (or greater), click the “Print Certificate” button to download and 
print your course exam certificate. 
Course Survey and Trial Account 


Please let us know what you think about the “QSC 2021 Configuration Assessment & Response” 
training course. 


Survey - https://forms.office.com/r/rsy0Aja6X7 


Would you like a trial account to practice and experiment with the lessons and topics provided in 
this course? 


Link to Trial - https://www.qualys.com/free-trial 